2020-04-01 |
Enable MTE support
...
Enable MTE support by adding memory tag option in Makefile
This option is available only when ARMv8.5-MemTag is implemented
MTE options are added in latest clang and armclang compiler which
support below options:
for clang <version 11.0.0>
1. -march=arm8.5-a+memtag
2. -fsanitize=memtag
for armclang <version 6.12>
1. -march=arm8.5-a+memtag
2. -mmemtag-stack
Set the option SUPPORT_STACK_MEMTAG=yes to enable memory stack tagging.
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
Change-Id: I4e0bbde4e9769ce03ead6f550158e22f32c1c413
Manish V Badarkhe
authored
on 22 Mar 2020
Sandrine Bailleux
committed
on 1 Apr 2020
|
2020-03-16 |
fconf: Clean Arm IO
...
Merge the previously introduced arm_fconf_io_storage into arm_io_storage. This
removes the duplicate io_policies and functions definition.
This patch:
- replace arm_io_storage.c with the content of arm_fconf_io_storage.c
- rename the USE_FCONF_BASED_IO option into ARM_IO_IN_DTB.
- use the ARM_IO_IN_DTB option to compile out io_policies moved in dtb.
- propagate DEFINES when parsing dts.
- use ARM_IO_IN_DTB to include or not uuid nodes in fw_config dtb.
- set the ARM_IO_IN_DTB to 0 by default for fvp. This ensure that the behavior
of fvp stays the same as it was before the introduction of fconf.
Change-Id: Ia774a96d1d3a2bccad29f7ce2e2b4c21b26c080e
Signed-off-by: Louis Mayencourt <louis.mayencourt@arm.com>
Louis Mayencourt
committed
on 16 Mar 2020
|
2020-03-06 |
Makefile: Add support to optionally encrypt BL31 and BL32
...
Following build flags have been added to support optional firmware
encryption:
- FW_ENC_STATUS: Top level firmware's encryption numeric flag, values:
0: Encryption is done with Secret Symmetric Key (SSK) which is
common for a class of devices.
1: Encryption is done with Binding Secret Symmetric Key (BSSK) which
is unique per device.
- ENC_KEY: A 32-byte (256-bit) symmetric key in hex string format. It
could be SSK or BSSK depending on FW_ENC_STATUS flag.
- ENC_NONCE: A 12-byte (96-bit) encryption nonce or Initialization Vector
(IV) in hex string format.
- ENCRYPT_BL31: Binary flag to enable encryption of BL31 firmware.
- ENCRYPT_BL32: Binary flag to enable encryption of Secure BL32 payload.
Similar flags can be added to encrypt other firmwares as well depending
on use-cases.
Signed-off-by: Sumit Garg <sumit.garg@linaro.org>
Change-Id: I94374d6830ad5908df557f63823e58383d8ad670
Sumit Garg
committed
on 6 Mar 2020
|
drivers: crypto: Add authenticated decryption framework
...
Add framework for autheticated decryption of data. Currently this
patch optionally imports mbedtls library as a backend if build option
"DECRYPTION_SUPPORT = aes_gcm" is set to perform authenticated decryption
using AES-GCM algorithm.
Signed-off-by: Sumit Garg <sumit.garg@linaro.org>
Change-Id: I2966f0e79033151012bf4ffc66f484cd949e7271
Sumit Garg
committed
on 6 Mar 2020
|
2020-03-03 |
SPMD: add command line parameter to run SPM at S-EL2 or S-EL1
...
Added SPMD_SPM_AT_SEL2 build command line parameter.
Set to 1 to run SPM at S-EL2.
Set to 0 to run SPM at S-EL1 (pre-v8.4 or S-EL2 is disabled).
Removed runtime EL from SPM core manifest.
Change-Id: Icb4f5ea4c800f266880db1d410d63fe27a1171c0
Signed-off-by: Artsem Artsemenka <artsem.artsemenka@arm.com>
Signed-off-by: Max Shvetsov <maksims.svecovs@arm.com>
Max Shvetsov
committed
on 3 Mar 2020
|
2020-03-02 |
SPMD: save/restore EL2 system registers.
...
NOTE: Not all EL-2 system registers are saved/restored.
This subset includes registers recognized by ARMv8.0
Change-Id: I9993c7d78d8f5f8e72d1c6c8d6fd871283aa3ce0
Signed-off-by: Jose Marinho <jose.marinho@arm.com>
Signed-off-by: Olivier Deprez <olivier.deprez@arm.com>
Signed-off-by: Artsem Artsemenka <artsem.artsemenka@arm.com>
Signed-off-by: Max Shvetsov <maksims.svecovs@arm.com>
Max Shvetsov
committed
on 2 Mar 2020
|
2020-02-24 |
Read-only xlat tables for BL31 memory
...
This patch introduces a build flag which allows the xlat tables
to be mapped in a read-only region within BL31 memory. It makes it
much harder for someone who has acquired the ability to write to
arbitrary secure memory addresses to gain control of the
translation tables.
The memory attributes of the descriptors describing the tables
themselves are changed to read-only secure data. This change
happens at the end of BL31 runtime setup. Until this point, the
tables have read-write permissions. This gives a window of
opportunity for changes to be made to the tables with the MMU on
(e.g. reclaiming init code). No changes can be made to the tables
with the MMU turned on from this point onwards. This change is also
enabled for sp_min and tspd.
To make all this possible, the base table was moved to .rodata. The
penalty we pay is that now .rodata must be aligned to the size of
the base table (512B alignment). Still, this is better than putting
the base table with the higher level tables in the xlat_table
section, as that would cost us a full 4KB page.
Changing the tables from read-write to read-only cannot be done with
the MMU on, as the break-before-make sequence would invalidate the
descriptor which resolves the level 3 page table where that very
descriptor is located. This would make the translation required for
writing the changes impossible, generating an MMU fault.
The caches are also flushed.
Signed-off-by: Petre-Ionut Tudor <petre-ionut.tudor@arm.com>
Change-Id: Ibe5de307e6dc94c67d6186139ac3973516430466
Petre-Ionut Tudor
committed
on 24 Feb 2020
|
2020-02-07 |
fconf: Move platform io policies into fconf
...
Use the firmware configuration framework to store the io_policies
information inside the configuration device tree instead of the static
structure in the code base.
The io_policies required by BL1 can't be inside the dtb, as this one is
loaded by BL1, and only available at BL2.
This change currently only applies to FVP platform.
Change-Id: Ic9c1ac3931a4a136aa36f7f58f66d3764c1bfca1
Signed-off-by: Louis Mayencourt <louis.mayencourt@arm.com>
Louis Mayencourt
committed
on 7 Feb 2020
|
2020-01-30 |
Merge changes from topic "sb/select-cot" into integration
...
* changes:
Introduce COT build option
cert_create: Remove references to TBBR in common code
cert_create: Introduce COT build option
cert_create: Introduce TBBR CoT makefile
Sandrine Bailleux
authored
on 30 Jan 2020
TrustedFirmware Code Review
committed
on 30 Jan 2020
|
2020-01-29 |
Introduce COT build option
...
Allows to select the chain of trust to use when the Trusted Boot feature
is enabled. This affects both the cert_create tool and the firmware
itself.
Right now, the only available CoT is TBBR.
Change-Id: I7ab54e66508a1416cb3fcd3dfb0f055696763b3d
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Sandrine Bailleux
committed
on 29 Jan 2020
|
2020-01-28 |
Measured Boot: add function for hash calculation
...
This patch adds 'calc_hash' function using Mbed TLS library
required for Measured Boot support.
Change-Id: Ifc5aee0162d04db58ec6391e0726a526f29a52bb
Signed-off-by: Alexei Fedorov <Alexei.Fedorov@arm.com>
Alexei Fedorov
committed
on 28 Jan 2020
|
2019-12-29 |
bl31: Split into two separate memory regions
...
Some platforms are extremely memory constrained and must split BL31
between multiple non-contiguous areas in SRAM. Allow the NOBITS
sections (.bss, stacks, page tables, and coherent memory) to be placed
in a separate region of RAM from the loaded firmware image.
Because the NOBITS region may be at a lower address than the rest of
BL31, __RW_{START,END}__ and __BL31_{START,END}__ cannot include this
region, or el3_entrypoint_common would attempt to invalidate the dcache
for the entire address space. New symbols __NOBITS_{START,END}__ are
added when SEPARATE_NOBITS_REGION is enabled, and the dcached for the
NOBITS region is invalidated separately.
Signed-off-by: Samuel Holland <samuel@sholland.org>
Change-Id: Idedfec5e4dbee77e94f2fdd356e6ae6f4dc79d37
Samuel Holland
committed
on 29 Dec 2019
|
2019-12-20 |
Merge "debugfs: add 9p device interface" into integration
Mark Dykes
authored
on 20 Dec 2019
TrustedFirmware Code Review
committed
on 20 Dec 2019
|
spm: Remove SPM Alpha 1 prototype and support files
...
The Secure Partition Manager (SPM) prototype implementation is
being removed. This is preparatory work for putting in place a
dispatcher component that, in turn, enables partition managers
at S-EL2 / S-EL1.
This patch removes:
- The core service files (std_svc/spm)
- The Resource Descriptor headers (include/services)
- SPRT protocol support and service definitions
- SPCI protocol support and service definitions
Change-Id: Iaade6f6422eaf9a71187b1e2a4dffd7fb8766426
Signed-off-by: Paul Beesley <paul.beesley@arm.com>
Signed-off-by: Artsem Artsemenka <artsem.artsemenka@arm.com>
Paul Beesley
authored
on 14 Oct 2019
Manish Pandey
committed
on 20 Dec 2019
|
Remove dependency between SPM_MM and ENABLE_SPM build flags
...
There are two different implementations of Secure Partition
management in TF-A. One is based on the "Management Mode" (MM)
design, the other is based on the Secure Partition Client Interface
(SPCI) specification. Currently there is a dependency between their
build flags that shouldn't exist, making further development
harder than it should be. This patch removes that
dependency, making the two flags function independently.
Before: ENABLE_SPM=1 is required for using either implementation.
By default, the SPCI-based implementation is enabled and
this is overridden if SPM_MM=1.
After: ENABLE_SPM=1 enables the SPCI-based implementation.
SPM_MM=1 enables the MM-based implementation.
The two build flags are mutually exclusive.
Note that the name of the ENABLE_SPM flag remains a bit
ambiguous - this will be improved in a subsequent patch. For this
patch the intention was to leave the name as-is so that it is
easier to track the changes that were made.
Change-Id: I8e64ee545d811c7000f27e8dc8ebb977d670608a
Signed-off-by: Paul Beesley <paul.beesley@arm.com>
Paul Beesley
authored
on 16 Sep 2019
Manish Pandey
committed
on 20 Dec 2019
|
2019-12-17 |
debugfs: add 9p device interface
...
The 9p interface provides abstraction layers allowing the software
that uses devices to be independent from the hardware.
This patch provides a file system abstraction to link drivers to their
devices and propose a common interface to expose driver operations to
higher layers. This file system can be used to access and configure a
device by doing read/write operations.
Signed-off-by: Ambroise Vincent <ambroise.vincent@arm.com>
Signed-off-by: Olivier Deprez <olivier.deprez@arm.com>
Change-Id: Ia9662393baf489855dc0c8f389fe4a0afbc9c255
Olivier Deprez
committed
on 17 Dec 2019
|
2019-12-02 |
Enable Link Time Optimization in GCC
...
This patch enables LTO for TF-A when compiled with GCC.
LTO is disabled by default and is enabled by
ENABLE_LTO=1 build option.
LTO is enabled only for aarch64 as there seem to be
a bug in the aarch32 compiler when LTO is enabled.
The changes in the makefiles include:
- Adding -flto and associated flags to enable LTO.
- Using gcc as a wrapper at link time instead of ld.
This is recommended when using LTO as gcc internally
takes care of invoking the necessary plugins for LTO.
- Adding switches to pass options to ld.
- Adding a flag to disable fix for erratum cortex-a53-843419
unless explicitly enabled. This is needed because GCC
seem to automatically add the erratum fix when used
as a wrapper for LD.
Additionally, this patch updates the TF-A user guide with
the new build option.
Signed-off-by: zelalem-aweke <zelalem.aweke@arm.com>
Change-Id: I1188c11974da98434b7dc9344e058cd1eacf5468
zelalem-aweke
committed
on 2 Dec 2019
|
2019-10-04 |
Fix the CAS spinlock implementation
...
Make the spinlock implementation use ARMv8.1-LSE CAS instruction based
on a platform build option. The CAS-based implementation used to be
unconditionally selected for all ARM8.1+ platforms.
The previous CAS spinlock implementation had a bug wherein the spin_unlock()
implementation had an `sev` after `stlr` which is not sufficient. A dsb is
needed to ensure that the stlr completes prior to the sev. Having a dsb is
heavyweight and a better solution would be to use load exclusive semantics
to monitor the lock and wake up from wfe when a store happens to the lock.
The patch implements the same.
Change-Id: I5283ce4a889376e4cc01d1b9d09afa8229a2e522
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
Signed-off-by: Olivier Deprez <olivier.deprez@arm.com>
Soby Mathew
authored
on 25 Sep 2019
Olivier Deprez
committed
on 4 Oct 2019
|
2019-09-12 |
Invalidate dcache build option for bl2 entry at EL3
...
Some of the platform (ie. Agilex) make use of CCU IPs which will only be
initialized during bl2_el3_early_platform_setup. Any operation to the
cache beforehand will crash the platform. Hence, this will provide an
option to skip the data cache invalidation upon bl2 entry at EL3
Signed-off-by: Hadi Asyrafi <muhammad.hadi.asyrafi.abdul.halim@intel.com>
Change-Id: I2c924ed0589a72d0034714c31be8fe57237d1f06
Hadi Asyrafi
authored
on 20 Aug 2019
Soby Mathew
committed
on 12 Sep 2019
|
Merge changes from topic "jc/mte_enable" into integration
...
* changes:
Add documentation for CTX_INCLUDE_MTE_REGS
Enable MTE support in both secure and non-secure worlds
Soby Mathew
authored
on 12 Sep 2019
TrustedFirmware Code Review
committed
on 12 Sep 2019
|
2019-09-11 |
Add UBSAN support and handlers
...
This patch adds support for the Undefined Behaviour sanitizer. There are
two types of support offered - minimalistic trapping support which
essentially immediately crashes on undefined behaviour and full support
with full debug messages.
The full support relies on ubsan.c which has been adapted from code used
by OPTEE.
Change-Id: I417c810f4fc43dcb56db6a6a555bfd0b38440727
Signed-off-by: Justin Chadwell <justin.chadwell@arm.com>
Justin Chadwell
committed
on 11 Sep 2019
|
2019-09-09 |
Enable MTE support in both secure and non-secure worlds
...
This patch adds support for the new Memory Tagging Extension arriving in
ARMv8.5. MTE support is now enabled by default on systems that support
at EL0. To enable it at ELx for both the non-secure and the secure
world, the compiler flag CTX_INCLUDE_MTE_REGS includes register saving
and restoring when necessary in order to prevent register leakage
between the worlds.
Change-Id: I2d4ea993d6b11654ea0d4757d00ca20d23acf36c
Signed-off-by: Justin Chadwell <justin.chadwell@arm.com>
Justin Chadwell
committed
on 9 Sep 2019
|
2019-06-28 |
Remove MULTI_CONSOLE_API flag and references to it
...
The new API becomes the default one.
Change-Id: Ic1d602da3dff4f4ebbcc158b885295c902a24fec
Signed-off-by: Ambroise Vincent <ambroise.vincent@arm.com>
Ambroise Vincent
committed
on 28 Jun 2019
|
2019-06-26 |
Console: removed legacy console API
...
This interface has been deprecated in favour of MULTI_CONSOLE_API.
Change-Id: I6170c1c8c74a890e5bd6d05396743fe62024a08a
Signed-off-by: Ambroise Vincent <ambroise.vincent@arm.com>
Ambroise Vincent
committed
on 26 Jun 2019
|
2019-05-24 |
Add support for Branch Target Identification
...
This patch adds the functionality needed for platforms to provide
Branch Target Identification (BTI) extension, introduced to AArch64
in Armv8.5-A by adding BTI instruction used to mark valid targets
for indirect branches. The patch sets new GP bit [50] to the stage 1
Translation Table Block and Page entries to denote guarded EL3 code
pages which will cause processor to trap instructions in protected
pages trying to perform an indirect branch to any instruction other
than BTI.
BTI feature is selected by BRANCH_PROTECTION option which supersedes
the previous ENABLE_PAUTH used for Armv8.3-A Pointer Authentication
and is disabled by default. Enabling BTI requires compiler support
and was tested with GCC versions 9.0.0, 9.0.1 and 10.0.0.
The assembly macros and helpers are modified to accommodate the BTI
instruction.
This is an experimental feature.
Note. The previous ENABLE_PAUTH build option to enable PAuth in EL3
is now made as an internal flag and BRANCH_PROTECTION flag should be
used instead to enable Pointer Authentication.
Note. USE_LIBROM=1 option is currently not supported.
Change-Id: Ifaf4438609b16647dc79468b70cd1f47a623362e
Signed-off-by: Alexei Fedorov <Alexei.Fedorov@arm.com>
Alexei Fedorov
committed
on 24 May 2019
|
2019-05-02 |
build_macros: Add mechanism to prevent bin generation.
...
On certain platforms it does not make sense to generate
TF-A binary images. For example a platform could make use of serveral
memory areas, which are non-continuous and the resulting binary
therefore would suffer from the padding-bytes.
Typically these platforms use the ELF image.
This patch introduces a variable DISABLE_BIN_GENERATION, which
can be set to '1' in the platform makefile to prevent the binary
generation.
Signed-off-by: Christoph Müllner <christophm30@gmail.com>
Change-Id: I62948e88bab685bb055fe6167d9660d14e604462
Christoph Müllner
committed
on 2 May 2019
|
2019-02-28 |
Minor changes to documentation and comments
...
Fix some typos and clarify some sentences.
Change-Id: Id276d1ced9a991b4eddc5c47ad9a825e6b29ef74
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Antonio Nino Diaz
committed
on 28 Feb 2019
|
2019-02-27 |
Add support for pointer authentication
...
The previous commit added the infrastructure to load and save
ARMv8.3-PAuth registers during Non-secure <-> Secure world switches, but
didn't actually enable pointer authentication in the firmware.
This patch adds the functionality needed for platforms to provide
authentication keys for the firmware, and a new option (ENABLE_PAUTH) to
enable pointer authentication in the firmware itself. This option is
disabled by default, and it requires CTX_INCLUDE_PAUTH_REGS to be
enabled.
Change-Id: I35127ec271e1198d43209044de39fa712ef202a5
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Antonio Nino Diaz
committed
on 27 Feb 2019
|
Add ARMv8.3-PAuth registers to CPU context
...
ARMv8.3-PAuth adds functionality that supports address authentication of
the contents of a register before that register is used as the target of
an indirect branch, or as a load.
This feature is supported only in AArch64 state.
This feature is mandatory in ARMv8.3 implementations.
This feature adds several registers to EL1. A new option called
CTX_INCLUDE_PAUTH_REGS has been added to select if the TF needs to save
them during Non-secure <-> Secure world switches. This option must be
enabled if the hardware has the registers or the values will be leaked
during world switches.
To prevent leaks, this patch also disables pointer authentication in the
Secure world if CTX_INCLUDE_PAUTH_REGS is 0. Any attempt to use it will
be trapped in EL3.
Change-Id: I27beba9907b9a86c6df1d0c5bf6180c972830855
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Antonio Nino Diaz
committed
on 27 Feb 2019
|
2019-02-05 |
Introduce build option to override libc
...
This patch introduces a build option 'OVERRIDE_LIBC' that platforms
can set to override libc from the BL image. The default value is '0'
to keep the library.
Change-Id: I10a0b247f6a782eeea4a0359e30a8d79b1e9e4e1
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
Varun Wadekar
committed
on 5 Feb 2019
|